Checking Audit Logs for Tampering - 18 Dec 2006

Four specific situations indicate that your audit logs might have been altered.

ITPro Today

December 17, 2006

2 Min Read
ITPro Today logo in a gray background | ITPro Today

Is there anything built into Windows that can verify that the Securityevent log hasn’t been tampered with (i.e., modified, added to, or deletedfrom)?

First, it’s important to understand that tampering with the Windows event logs isn’t easy. One can’t open the Windows Security log and directly edit it because the event logging service always has the file opened exclusively. Furthermore, there’s no API in Windows for changing or deleting events in the Security log—only for reporting new events. Basically, one must have either administrator authority or physical access to tamper with the Security log.

That said, you can’t be absolutelysure that the log hasn’t been tampered with—the best you can do iskeep a sharp eye out for evidence thatthe log might have been altered. Lookfor the following events or occurrences:

  • Event ID 517, which indicates that the audit log was cleared and reports who cleared it.

  • Event ID 512, which logs a system restart. The system (including the Security log) is vulnerable to tampering during a system restart.

  • The Event Log Service inexplicably crashes or you find a file called dummy.dat in C:windowssystem32

  • config. These occurrences can indicate that someone with administrative authority executed Win-Zapper, a hacker tool that can be used to delete event log records.

  • An administrator account is compromised, meaning someone could try to use the compromised account to alter the Security log.

The best way to ensure theintegrity of the Security log is to sendsecurity events as they occur toanother system that’s secured withseparate administrator credentials.Many Security log consolidation products include the functionality toensure the confidentiality and integrityof the Security log as it traverses thenetwork. Windows versions beforeWindows Vista lack this functionality,but there are many event log management solutions that ensure confidentiality and integrity with or withoutagents. For information about free logmanagement tools, see “Security LogCollection,” November 2006, Instant-Doc ID 93330.

About the Author

ITPro Today

ITPro Today

See more from ITPro Today
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
Newsletter Sign-Up

You May Also Like

Editor's Choice

a gavel at the center of a maze
Regulatory Compliance
Guide To Navigating the Legal Perils After a Cyber IncidentGuide To Navigating the Legal Perils After a Cyber Incident
byIan Horowitz
Sep 20, 2024
7 Min Read
4 different colored figures standing on different sized piles of coins
IT Management
6 Decades After Civil Rights Act, Racial Pay Gap in IT Persists6 Decades After Civil Rights Act, Racial Pay Gap in IT Persists
byJoe Milan
Sep 19, 2024
9 Min Read
skills dial
IT Operations
ERP Skills Outpace AI in 2024 as Demand for IT Strategy SoarsERP Skills Outpace AI in 2024 as Demand for IT Strategy Soars
byNathan Eddy
Sep 23, 2024
7 Min Read
Exclusive ITPro Resources
See all ITPro Resources

Featured How Tos

screenshots of PowerShell code fly off of a laptop screen
PowerShell
PowerShell Screen Captures: How To Automate Screenshots in Your ScriptsPowerShell Screen Captures: How To Automate Screenshots in Your Scripts
tablet with "cloud computing" on the screen on top of financial documents and calculator
Cloud Computing
Guide to Cloud Computing ETFsGuide to Cloud Computing ETFs
A cartoon of a person sitting at a computer, with speech bubbles—one from the person saying Hello and one from the computer responding with Hello
PowerShell
PowerShell Speech Recognition: How To Set up Voice Commands and ResponsesPowerShell Speech Recognition: Set up Voice Commands and Responses
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
Newsletter Sign-Up
Trending

Recent What Is

list of domains within the umbrella category of IT security
IT Security
What Is IT Security? Essentials of IT Security ExplainedWhat Is IT Security? Essentials of IT Security Explained
ITPro Today's tech careers quick reference guide cover
Career Management
Tech Careers: Quick Reference Guide to IT Job TitlesTech Careers: Quick Reference Guide to IT Job Titles